White House unveils broad, multipronged effort to combat botnets
The Obama administration unveiled a new national public/private, multi-industry, interagency plan to stem the spread of malware that harnesses personal computers into botnets used for criminal and questionable activities, which the administration called one of the biggest threats to Internet security.
White House cybersecurity coordinator Howard Schmidt, along with a host of government and private industry officials, including DHS secretary Janet Napolitano, announced the initiative on May 30. Schmidt said in announcing the program that "the pervasive presence of malware is not the price of doing business." The malware, said the Commerce Department, has a significant impact on the economy because it can lead to increased costs of doing business and put affected companies at a competitive disadvantage.
Botnets, said the Commerce Department, have been estimated to have infected one out of every ten of the millions of personal computers in the U.S. The White House has teamed with trade associations, privacy rights groups and Internet service providers to establish voluntary industry best practices to fight the threat.
Botnets are formed from groups of computers that have been compromised by malicious software and then used as bases to execute criminal or espionage actions on behalf of remote operators, expose consumers' private and financial information to hackers, slow down and harm consumers' computers, and turn consumers into unwitting disseminators of spam emails.
The White House Cybersecurity Office and the U.S. Departments of Commerce and Homeland Security (DHS) have coordinated with private industry to lead the Industry Botnet Group (IBG), a group of nine trade associations and nonprofit organizations representing thousands of companies across the information, communications, and financial services industries, said the Commerce Department.
“The issue of botnets is larger than any one industry or country. This is why partnership is so important,” said Schmidt. “The principles the IBG are announcing today draw on expertise from the widest range of players, with leadership coming from across the private sector, and partnering with the government on items like education, consumer privacy and key safeguards in law enforcement.”
The IBG, said the Commerce Department, was formed in response to a September 2011 request for information issued by Commerce and DHS to learn more about existing efforts and new areas to explore in combating botnets.
“Cybersecurity is a shared responsibility – the responsibility of government, our private sector partners, and every computer user,” said Napolitano. “DHS has set out on a path to build a cyber system that supports secure and resilient infrastructure, encourages innovation, and protects openness, privacy and civil liberties.”
“Botnets continue to increase the price of doing business online and place our companies at a competitive disadvantage, while threatening our individual privacy,” said Under Secretary of Commerce for Standards and Technology Patrick Gallagher. “Today’s efforts are only the beginning of the actions we can take, but working together through this public-private partnership we can start to combat these challenges.”
“No one entity can combat these security challenges alone,” said Liesyl Franz, vice president for cybersecurity policy at TechAmerica, speaking on behalf of the IBG. “Individually we can take measures to defend ourselves, and together we can do even more to protect the ecosystem.”
The Industry Botnet Group and government partners announced new and expanded initiatives to combat botnets on May 30.
The IBG unveiled a list of principles for voluntary efforts to reduce the impact of botnets in cyberspace, including coordination across sectors, respect for privacy, and sharing lessons learned. The group also developed a framework for shared responsibility across the botnet mitigation lifecycle, from prevention to recovery, that reflects the need for ongoing education efforts, innovative technologies, and a feedback loop throughout all phases.
The Financial Services Information Sharing and Analysis Center (FS-ISAC), which cooperates closely with DHS and the Treasury Department, is conducting a pilot program to share information on botnets this year that will lead to standards that can be more widely used for botnet information sharing outside of the financial services sector.
Several IBG members are launching a “Keep a Clean Machine” education program for consumers supported by DHS, the Federal Trade Commission (FTC), the National Cybersecurity Alliance and several companies.
The FBI and Secret Service, said Commerce, have recently stepped up private sector information sharing, and their coordinated efforts have shut down massive criminal botnets such as Coreflood, which compromised millions of private computers and led to the theft of millions of dollars.
Commerce’s National Institute of Standards and Technology (NIST) is holding a workshop in June to highlight technical work in this area, including standards and metrics. The Internet Engineering Task Force and the Messaging Anti-Abuse Working Group, independent standards organizations, have a growing number of standards related to fighting botnets. NIST has promoted related international standards and metrics in the Organisation for Economic Co-operation and Development and the Asia-Pacific Economic Cooperation forum. NIST will also highlight new research projects and technologies to combat botnets and speed remediation at the workshop.
The initiatives, said Commerce, are intended to support voluntary, private sector-led efforts, allowing industry to respond nimbly to dynamic cyber threats. The agency emphasized that the initiatives do not prescribe any particular means or method and allow for flexibility in application by a wide range of participants and business models.
The IBG is using a proven model that the Financial Services Information Sharing and Analysis Center (FS-ISAC) and Banking Infrastructure and Technology Services (BITS) are already using. Additionally, the IBG’s efforts are complementary to the Federal Communications Commission’s ‘Code of Conduct’ of collaborative recommendations for ISPs.